Forum Discussion
Removing idle connection
Nat24 Are you performing SSL termination on the F5 or is it terminated at the pool members?
- Nath, Sep 07, 2023, Cirrostratus
SSL termination is done by BIG-IP. The traffic is not HTTP, and that is why we are having a hard time monitoring the session to see if there is payload being sent since the start of the connection. So basically we just wanted to overwrite the TCP idle timeout session and flush connections that go beyond 30 mins since the start of the session.
- Paulius, Sep 07, 2023, MVP
Nath I haven't had the opportunity to do it but you might be able to monitor the connection and when the F5 sees the keepalive flag come across it can set a timer and then kill the connection after a certain time. I do not believe this is the best use of the F5 because it's unnecessary overhead and is better handled by the server or you can just turn off keepalive if the majority of these connections are just sitting.
- Nat24, Sep 10, 2023, Nimbostratus
Thanks Paulius, I think we will just blindly close the session after 30 mins using an iRule, since we observed that legit traffic with payload only lasts 4-5 seconds per transaction.
Hopefully this iRule helps/works on our PROD.
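when CLIENT_ACCEPTED {
    # Flag checked when the timer fires; nothing else in this rule sets it,
    # so the timer callback always logs and drops.
    set rtimer 0
    # "after" takes milliseconds: 900000 ms = 15 minutes from client accept.
    after 900000 {
        if { not $rtimer } {
            log local0. "[virtual] - client ip=[IP::client_addr]:[TCP::client_port]"
            drop
        }
    }
}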